Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Service Agreement between Customer ("Controller") and NEOAMYRA AI SOLUTIONS PRIVATE LIMITED operating as weya.ai ("Processor") under which Processor provides AI-powered customer experience services ("Services").
This DPA ensures compliance with India's DPDPA 2023 and provides equivalent protections for organizations subject to EU GDPR, CCPA, and other international data protection regulations.
Version: 1.0 | Effective Date: October 16, 2025
1. Definitions
"Applicable Laws" means all data protection laws including India's DPDPA 2023, EU GDPR, CCPA, and other applicable regulations.
"Controller" means the Customer who determines purposes and means of processing Personal Data.
"Processor" means NEOAMYRA AI SOLUTIONS PRIVATE LIMITED (weya.ai) who processes Personal Data on Controller's behalf.
"Personal Data" means any information relating to an identified or identifiable natural person processed by Processor on Controller's behalf.
"Personal Data Breach" means unauthorized access, loss, alteration, or disclosure of Personal Data.
"Processing" means any operation performed on Personal Data including collection, storage, use, analysis, transmission, or deletion.
"Sub-processor" means third parties engaged by Processor to process Personal Data.
"Data Subject" means individuals whose Personal Data is processed (Controller's customers, end users, contacts).
2. Scope of Processing
2.1 Purpose
Processor processes Personal Data solely to provide Services: AI-powered voice, WhatsApp, email, SMS automation, conversation analytics, CRM integration, and platform support.
2.2 Duration
Processing continues for the duration of the Service Agreement. Personal Data is retained for 90 calendar days then automatically deleted unless otherwise specified.
2.3 Data Categories
Data Subjects: Controller's customers, end users, employees, contacts.
Personal Data Types:
Contact information: names, phone numbers, emails, addresses
Communication content: call recordings, transcripts, WhatsApp/SMS/email messages
Technical data: IP addresses, device identifiers, session logs, timestamps
Interaction data: customer queries, conversation history, sentiment analysis, engagement metrics
Business data: transaction details, order information
Special Categories: Processor does not intentionally process sensitive data (health, financial, biometric, children's data) unless explicitly agreed in writing with additional safeguards.
3. Controller's Obligations
Controller warrants that it:
3.1 Has lawful basis and necessary consents to provide Personal Data to Processor.
3.2 Has provided Data Subjects with required privacy notices and transparency information.
3.3 Provides clear, documented processing instructions to Processor.
3.4 Ensures Personal Data provided is accurate, relevant, and lawfully obtained.
3.5 Is responsible for responding to Data Subject requests and regulatory inquiries.
3.6 Must export and back up any data needed beyond 90 days before automatic deletion.
3.7 Shall immediately notify Processor of consent revocations, complaints, or regulatory requests affecting Personal Data.
4. Processor's Obligations
4.1 Processing Instructions: Processor processes Personal Data only per Controller's documented instructions and as necessary to provide Services.
4.2 Confidentiality: All personnel with Personal Data access are bound by confidentiality obligations and receive data protection training.
4.3 No Unauthorized Use: Processor does not use Personal Data for its own purposes, except anonymized data for service improvement (Controller may opt out).
4.4 Security Measures: Processor implements appropriate technical and organizational measures including:
AES-256 encryption at rest, TLS 1.2+ in transit
Multi-factor authentication and role-based access controls
Network security: firewalls, intrusion detection, monitoring
Regular security audits, penetration testing, vulnerability management
Incident response and business continuity procedures
4.5 Assistance: Processor provides reasonable assistance for Controller to:
Respond to Data Subject requests
Conduct data protection impact assessments
Comply with breach notification obligations
Demonstrate compliance with Applicable Laws
4.6 Notification: Processor immediately informs Controller if processing instructions violate Applicable Laws.
5. Sub-processors
5.1 Authorization
Controller authorizes Processor to engage Sub-processors listed in Annexure III. Processor remains fully liable for Sub-processor compliance.
5.2 Current Sub-processors
Sub-processor | Service | Location
Amazon Web Services (AWS) | Cloud hosting, infrastructure | Global (Asia-Pacific primary)
Microsoft Azure | Backup, disaster recovery | Global
Google Cloud Platform | AI/ML processing | Global
Twilio | Voice telephony | Global
Plivo | Voice services India/APAC | India, Asia-Pacific
Plivo | SMS, voice connectivity | Global
Meta (WhatsApp Business API) | WhatsApp messaging | Global
Regional SMS Providers | SMS delivery | As per region
Signoz | Monitoring, error tracking | US, EU
SendGrid / Amazon SES | Transactional emails | Global
Stripe / Razorpay | Payment processing | Global / India
Hubspot | CRM | Global
5.3 Changes
Processor notifies Controller 30 days in advance before engaging new Sub-processors. Controller may object within 15 days on reasonable data protection grounds. Parties shall work in good faith to resolve concerns or allow termination of affected Services without penalty.
6. International Data Transfers
Personal Data may be transferred to India, United States, EU, and other jurisdictions where Processor or Sub-processors operate.
Transfer Safeguards:
EU Standard Contractual Clauses for EEA transfers (Schedule 1)
Adequacy decisions where available
Contractual protections with Sub-processors
Encryption and access controls
Controller authorizes such transfers subject to these safeguards. Data residency customization available upon request (may incur additional costs).
7. Data Retention and Deletion
7.1 Standard Retention
Personal Data is automatically deleted 90 calendar days after creation/upload from all systems including databases, backups, and logs.
7.2 Scope of Deletion
Call recordings and voice data
Conversation transcripts
User metadata (phone numbers, emails, names)
System logs containing Personal Data
7.3 Deletion Method
Secure, irreversible deletion using industry-standard techniques preventing data recovery.
7.4 Anonymized Data
Non-identifiable aggregated data may be retained for service improvement and AI training unless Controller opts out.
7.5 Client Backup Responsibility
⚠️ Controller must export data needed beyond 90 days. Processor cannot recover data post-deletion. Export tools available in dashboard.
7.6 Upon Termination
Personal Data deleted within 7 business days from live systems, with backups deleted within 30 days.
8. Personal Data Breach Notification
8.1 Processor Obligations
Upon discovering a Personal Data Breach, Processor shall notify Controller within 48 hours including:
Nature and circumstances of breach
Categories and approximate number of affected Data Subjects
Likely consequences and impact
Measures taken and proposed to address breach
Contact information: support@weya.ai
8.2 Updates
Processor provides updates every 72 hours until the breach is resolved.
8.3 Controller Responsibility
Controller remains responsible for notifying Data Subjects and Supervisory Authorities as required by Applicable Laws (e.g., GDPR: 72 hours to DPA).
8.4 Cooperation
Processor cooperates with Controller's breach response, regulatory inquiries, and provides documentation. Notification does not constitute admission of liability.
9. Data Subject Rights Support
9.1 Controller's Primary Role
Controller is responsible for responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection).
9.2 Processor Assistance
Upon Controller's written request, Processor provides assistance within 10 business days including:
Exporting Data Subject's Personal Data (CSV, JSON, PDF formats)
Updating or correcting data as instructed
Deleting specified Data Subject's data
Restricting processing temporarily
Providing processing records
9.3 Limitations
Processor does not verify Data Subject identity (Controller's responsibility)
Cannot recover data already deleted per retention policy
Assistance for reasonable requests included; excessive requests may incur fees
10. Audit Rights
10.1 Documentation Requests
Controller may request compliance documentation including security policies, certifications (ISO 27001, SOC 2), audit reports, and Sub-processor agreements. Processor responds within 15 business days.
10.2 Third-Party Audit Reports
Processor undergoes regular independent audits. Controller may satisfy audit rights by reviewing current SOC 2 Type II reports and security certifications.
10.3 On-Site Audits
Controller may conduct on-site audits with 30 days' prior notice, maximum once per year unless required by breach or regulatory mandate. Audits must not unreasonably interfere with operations. Controller bears audit costs.
11. Term and Termination
This DPA remains effective while Processor processes Personal Data for Controller.
Upon Termination:
Personal Data deleted within 7 business days from live systems
Backup deletion within 30 days
Exception: Legal retention obligations
12. Changes to DPA
Processor may update this DPA to meet legal or operational requirements. Material changes require 60 days' notice to Controller via email and website posting. Continued use after notice period constitutes acceptance.
13. Governing Law and Jurisdiction
This DPA is governed by Indian law. Processor is subject to India's DPDPA 2023 and provides equivalent protections for organizations under GDPR, CCPA, and other international regulations. This DPA serves as Article 28 processor agreement for GDPR-subject clients.
In case of conflict between this DPA and Service Agreement, this DPA prevails for data protection matters.
Contact Information
Data Protection Inquiries: support@weya.ai
Security Incidents: support@weya.ai
Phone: +91 88025 39664
Address: D-241, Sector 110, Noida - 201301, Uttar Pradesh, India
SCHEDULE 1 - EU STANDARD CONTRACTUAL CLAUSES
[For clients subject to GDPR requiring transfers outside EEA, the EU Standard Contractual Clauses (2021 version) apply and are incorporated by reference. Full SCCs available upon request.]
MODULE TWO: Controller to Processor
ANNEX I - Processing Details
Data Exporter (Controller): Customer as identified in Service Agreement
Data Importer (Processor): NEOAMYRA AI SOLUTIONS PRIVATE LIMITED
Processing Activities: AI-powered voice, WhatsApp, email, SMS services; conversation analytics; CRM integration; platform support
Data Subjects: Customer's end users, customers, contacts, employees
Personal Data Categories: Contact info, communication content, technical data, interaction data, business transaction data
Special Categories: None unless explicitly agreed
Frequency: Continuous
Duration: As per Service Agreement
Purpose: Provide Services described in Agreement
ANNEX II - Security Measures
Encryption: AES-256 at rest, TLS 1.2+ in transit
Access controls: MFA, role-based access, principle of least privilege
Network security: Firewalls, IDS/IPS, DDoS protection
Monitoring: 24/7 SOC, automated threat detection, audit logging
Regular security assessments, penetration testing, vulnerability management
Incident response and business continuity procedures
Personnel security: Confidentiality agreements, background checks, training
Secure cloud infrastructure (AWS/Azure/GCP) with ISO 27001, SOC 2 certifications
ANNEX III - Sub-processor List
See Section 5.2 of main DPA.
Competent Supervisory Authority: As determined by Data Exporter's establishment location under GDPR Clause 13.
